Re: Help with OpenSSH
Last time I checked, tunneling a port over ssh was was selected by the person setting up the tunnel. Only the specific port where ssh listened was under the admin control. That is usually 22/tcp, but I never simply forward that port from public IPs. Use your router to do forwarding AND port translation. Pick a high port on the router, but forward it to server:22 like always. That way you don't need to change any defaults internally and normal ssh security techniques work without changing the internal port setup.
Originally Posted by The Cog
Monitoring what other people are doing on UNIX/Linux is easy, if you know the commands. Sadly, I can't tell you the commands to use here, since there are a mix completely dependent on what you want to monitor. ps, vmstat, lsof,and many others will do that. I'd suggest that read UNIX Power Tools from O'Reilly to get a feel.
You can ban a user easy. Lock their user account.
You can throttle a user easily, use iptables.
I wouldn't allow people to tunnel through my servers unless they were paying, we had a legal contract that prohibited illegal use, and I was 100% positive they wouldn't use it for porn or copyright violations.
If they have a shell on the box, then local root-escalations are possible on many Linux systems. The community is much more concerned about remote access and remote root access, which is much worse, but there have been some ingenious local root escalations over the years.
BTW, buying a server for an ssh tunnel seems like overkill. I hope you plan to do something else with it. A $75 Atom-based mini-PC or $22 ARM device can easily provide an ssh tunnel.
I hope you are using key-based authentication, not passwords, and have fail2ban or similar running too. There's no need for anyone without credentials to get free password cracking access forever.
Linux User since 1993. Loving Linux since 1996.
When you find the solution, please come back to this thread, explain the solution, and mark it SOLVED to help the next guy.